US20220060490A1

Movatterモバイル変換

Info

Publication number: US20220060490A1
Application number: US16/999,614
Authority: US
Inventors: Benyamin FARSHTEINDIKER; Assaf Israel; Tomer WEINBERGER
Original assignee: Microsoft Technology Licensing LLC
Current assignee: Microsoft Technology Licensing LLC
Priority date: 2020-08-21
Filing date: 2020-08-21
Publication date: 2022-02-24
Also published as: US11811802B2; WO2022039806A1; EP4200731A1; EP4200731B1

Abstract

A security threat detection system is used to monitor the physical resource usage of a hosted application in a PaaS service in order to detect anomalous behavior indicative of a security threat. The system analyzes the historical usage of the application's physical resources in order to determine the normal range of consumption of a resource by the application. A security threat alert is then provided when the application's resource consumption exceeds the normal range of consumption.

Description

BACKGROUND

Cloud computing services provide powerful environments for customers to develop, run and manage web applications without the complexity of building and maintaining any infrastructure typically associated with developing and launching the applications. Examples of cloud computing services include Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Each of these services has its own benefits and differences.

SaaS service is a centralized software hosting service where a cloud provider licenses software that is hosted by the cloud provider on a subscription basis. The SaaS applications are typically accessed through a web browser and the SaaS service acts as a web delivery service for the application. SaaS is advantageous for companies and employees since it eliminates the time and expense of installing, managing, maintaining, and upgrading the software applications. The software applications are managed from a central location that is accessible through the Internet. SaaS is beneficial for applications that need web and mobile access, for applications that are not used that often, and for organizations that need to launch a web service quickly without the responsibility of operating a data center. The cloud provider maintains the SaaS service which includes the applications, data, runtime, middleware, operating system, virtualization, servers, storage, and networking facilities. The cloud provider also provides the service's security thereby monitoring the computer infrastructure for security threats.

In the IaaS service model, the cloud provider provides the computing infrastructure, such as the virtualization, servers, storage and networking facilities on demand for a customer. The customer pays for the computing resource that it uses thereby avoiding the expense and complexity of buying and maintaining these resources. The customer rents each hardware resource separately and the cloud provider is responsible for managing and maintaining those resources. The customer manages, installs, configures, and updates its own software, operating system, middleware, data, and applications.

The IaaS service is advantageous since it eliminates the expense of purchasing and maintaining the hardware resources of a datacenter. It is an economical solution for organizations that require a computing infrastructure quickly for a limited time period. The customers are responsible for managing the applications, runtime, operating systems, data, and middleware, while the cloud provider maintains the virtualization, servers, storage and networking facilities and the security services for the hardware resources.

In a PaaS environment, the cloud provider offers provisioning and hosting capabilities for a developer to create, host and deploy applications, thereby saving developers from maintaining, configuring, and managing the underlying hardware, software, and provisioning hosting capabilities. The developer's application operates on one or more virtual machines (VMs) running on top of a hypervisor in a host server. The cloud provider manages the runtime, middleware, operating system, virtualization, servers, storage and networking facilities leaving the developer to maintain its applications and data. PaaS is advantageous since it offers low infrastructure and development costs, rapid time-to-deployment, and on-demand and scalable resources.

However, in the PaaS service, the customer is responsible for the security of the application and the cloud provider is responsible for the security of the computing infrastructure. Although the cloud provider may provide traditional security controls for identity, authentication, and authorization, there still lies the potential for malicious security threats to the application that may go undetected.

SUMMARY

This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

An application threat detection system is used to monitor the resource usage of a hosted application in a PaaS service in order to detect anomalous behavior indicative of a security threat. A cloud provider hosts the application in a virtual machine where the application has no visibility to the physical resource consumption of the application. The application threat detection system analyzes the historical usage of the application's physical resources in order to determine the normal consumption of a physical resource by the application. Statistic models are generated that represent the normal usage of a resource by the application and then used to detect in real time any anomalous behavior. A security threat alert is provided when a statistical model indicates that the application's resource consumption is not within the normal range.

These and other features and advantages will be apparent from a reading of the following detailed description and a review of the associated drawings. It is to be understood that both the foregoing general description and the following detailed description are explanatory only and are not restrictive of aspects as claimed.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a schematic diagram illustrating an exemplary application security monitoring and detection system for a PaaS service.

FIG. 2 is a schematic diagram illustrating an exemplary detection mechanism that utilizes an application usage profile and/or a customer usage profile to detect a security threat to a PaaS service.

FIG. 3 is a flow chart illustrating an exemplary method of monitoring and detecting a PaaS application for security threats.

FIG. 4 is a flow chart illustrating an exemplary method of determining the normal resource usage of an application.

FIG. 5 is a flow chart illustrating an exemplary method of determining the normal resource usage of a customer.

FIG. 6 is a block diagram illustrating an exemplary operating environment.

DETAILED DESCRIPTION

Overview

The subject matter disclosed pertains to the security monitoring and detection of the anomalous behavior of an application running as a PaaS service. The cloud service provider manages the computing infrastructure or platform (e.g., runtime, operating system, middleware, virtualization, servers, storage, and networking facilities) for the developer of the application (i.e., customer, user) to develop, run, and manage the application and data with no access or visibility into the physical resources used by the application. The developer is responsible for the security of the application and its data while the cloud service provider maintains the security of the computing infrastructure.

The application or PaaS service runs on a virtual machine that is isolated from other virtual machines. There may be several instances of the application with each instance residing in a different virtual machine hosted in numerous, distinct servers. In one aspect, an application security threat detection module is provided on each virtual machine to monitor the usage behavior of the application's resources in order to detect a security threat. The application security threat detection module resides in kernel space thereby having access to and visibility to the physical resource consumption of the application.

The detection of a resource's behavior is compared with the application's typical consumption of the resource. The resource's behavior is represented by a statistic (e.g., threshold, centroid) that is used to signal a security threat. A security threat or threat is a potential attack that may lead to the misuse or disclosure of the information or resources of the application. For example, once the virtual machine is running with an open port, the application is susceptible to a brute force attack or port scanning These attacks may be detected when the application use of the open port increases beyond its normal consumption.

The application is monitored during a designated training period to compute a mathematical model of the typical usage of the application's physical resources. The model includes a statistic to represent a normal usage value for CPU/processor usage, memory usage, average number of network packets transmitted, the maximum size of the network packets transmitted, the frequency of transmission of the network packets, and/or the number of open ports. The model also includes usage data, such as the Internet Protocol (IP) addresses of the transmitted network packets and open port numbers used during the execution of the application.

The application's historical resource usage obtained during the training period may come from various resource logs that a cloud service generates to monitor the security of the computing infrastructure. The resource logs are analyzed for each resource that each instance of an application uses in order to determine the statistic and usage data that represents the normal resource usage of an application.

It should be noted that the description of the techniques and components described herein utilizes terminology of the Azure® cloud computing service. However, this description is not constrained to this particular cloud computing service and the techniques, components and method disclosed herein are applicable to any cloud computing service.

Attention now turns to a further discussion of the system, devices, components, and methods that monitor and detect security threats for a PaaS application.

System

FIG. 1 illustrates anexemplary system100 in which various aspects of the invention may be practiced. In one aspect, thesystem100 is implemented in acloud service101 that includes one ormore cloud servers102 that interact withcomputing devices104 of the users of the cloud service through anetwork106. Thecomputing devices104 include aweb browser108 which facilitates communication with the one ormore cloud servers102.

Acloud service101 is a service available on demand for users through a publicly-accessible network106, such as the Internet. In one aspect, acloud service101 hosts the resources of multiple tenants. A tenant may be an organization, entity, business unit within an organization, a group of users within an organization, and the like. A tenant hosts resources for use by its customers. A tenant contains resources, such as virtual machines, applications, application programming interfaces (APIs), storage accounts, services, etc. that are grouped into a subscription. A subscription is an object that represents a folder where the resources reside. A tenant may have many subscriptions. As shown inFIG. 1, a tenant has asubscription141 having

resource groups

142A,142B whereresource group142A containsresources144A-144B andresource group142B containsresources144C-144D.

Thecloud service101 hosts the tenant's subscriptions and controls access to the resources contained within a subscription. A subscription may be fee-based or free and lasts for a designated length of time. Examples of a cloud service include without limitation, Microsoft Azure®, Google Cloud Platform™ service, iCloud®, and the like.

A resource is an entity that is managed by the cloud service, such as a virtual machine, virtual network, storage account, database, web-accessible application, and services. Resources belong to a resource group which is a logical grouping of the resources so that they can be managed as a single entity.

Thecloud service101 consists of one ormore cloud servers102. Acloud server102 includes one or more virtual machines110a-110n(“110”), avirtualization layer112, aresource mapping layer146, andphysical resources114. A virtual machine110 is a resource that uses software to emulate a computer to run application software. The virtual machine110 has auser space136, where the user's applications and data run, and akernel space138, where the operating system-level functions run outside of the user space and are not accessible from the user space. The virtual machine110 includes a hosted application in a PaaS computing environment116a-116n(“116”), logfiles140a-140n(“140”), a host operating system118a-118n(“118”), an applicationthreat detection module120a-120n(“120”), and an application resource usage profile122a-122n(“122”).

The application hosted in the virtual machine116 is often constructed as a web service. The activity of the application may be monitored and recorded in alog file140. Thelog file140 contains all the actions performed on a resource144. A resource144 writes an entry in thelog file140 each time an access and use are made to the resource144. There may be one resource log per subscription, per resource group or per resource. An entry in alog file140 may identify the subscription identifier, the resource group, and the actions performed on a particular resource. For example, an entry may be formatted as follows: /sub/subid/resourcegroup/RG1R2/read, where sub indicates subscription, subid indicates the subscription identifier, resourcegroup indicates a resource group, RG1R2 indicates resource group1 and resource2, and read indicates that a read operation was performed on resource2 in resource group1 of subscription identifier subid.

The applicationthreat detection module120 builds a usage profile122 for the hosted application116 from the various monitoring data collected on the cloud server. The usage profile122 may pertain to the resource usage of a particular application or to the resource usage of the customer's applications. The usage profile122 includes the models and usage data used to detect a security threat.

The virtual machine110 operates in an isolated environment without access to other virtual machines, applications and resources outside of the virtual machine. The developer manages the application and has no access or visibility to the host operating system118, the applicationthreat detection module120, the application resource usage profile122, thevirtualization layer112, theresource mapping layer146, and thephysical resources114.

Thevirtualization layer112 includes the virtualized resources, a hypervisor, and the system operating system. The hypervisor creates the virtual machine and the virtualized resources used by the application. The virtualized resources are mapped to physical resources by the hypervisor and stored in resource mapping files148 of theresource mapping layer146. Aresource mapping file148 stores the relationship between a virtual resource and a tuple consisting of an identifier of the physical resource, the virtual machine assigned the physical resource and the process identifier that consumes the physical resource, virtual resource: <physical resource, virtual machine, process identifier>. A process is an instance of a program that is running on a computer. The process may include multiple threads of execution that perform the instructions of the program concurrently. The process identifier is a unique value that identifies the instance of the application that is running on a particular virtual machine.

Thephysical resources114 include one or more CPUs orprocessors124, one ormore memory device126, one ormore storage devices128, one or more applications116, and one or more network interfaces130. A further description of the CPUs/processors124,memory devices126,storage devices128, andnetwork interfaces130 is described in further detail below.

Thecloud server102 hassecurity monitoring tools132 that collect data on the usage of the various physical resources. The data collected from thesecurity monitoring tools132 is stored in various resource logs134. The security monitoring tools may include Event Tracing For Windows (ETW) which is a kernel-level tracing facility that monitors kernel or application-defined events to a log file. The kernel-level tracing facility traces events, from a configured start time to an end time, for such events as TCP/UDP events, memory page faults, file I/O events, disk I/O events, thread events, virtual memory allocation, etc. In addition, thesecurity monitoring tools132 may include agents that collect data from security events, such as login events, process creation, file access, etc. For example, in Azure, there is a Microsoft Monitoring Agent and an OMS Linux agent that collects data from security events. In addition, Microsoft Defender Advanced Threat Protection collects file creation, file deletion, and network events.

The data from thesesecurity monitoring tools132 is collected into various resource logs134. The applicationthreat detection module120 obtains the data from the resource logs134 and mines the data to obtain the logged data that relates to the physical resources used by a target application.

Methods

Attention now turns to a description of the various exemplary methods that utilize the system and devices disclosed herein. Operations for the aspects may be further described with reference to various exemplary methods. It may be appreciated that the representative methods do not necessarily have to be executed in the order presented, or in any particular order, unless otherwise indicated. Moreover, various activities described with respect to the methods can be executed in serial or parallel fashion, or any combination of serial and parallel operations. In one or more aspects, the method illustrates operations for the systems and devices disclosed herein.

Turning toFIG. 2, in one aspect, the applicationthreat detection module120 generates an application usage profile206 for a specific application from resource logs of the application. During an initial training period, the resource logs from execution of the application is analyzed to extractresource usage data202. Theresource usage data202 is then used to generate statistics representing the application's normal resource usage which is stored in an application usage profile206.

In a second aspect, the applicationthreat detection module120 extracts resource usage data from all of the customer'sresources204. The resource logs from execution of the various applications of the customer is analyzed to extract usage data of all of the customer's resources. The extracted data is then used to generate statistics representing a customer's typical resource usage which is stored in a customer usage profile208.

FIG. 3 is an exemplary method for monitoring and detecting a security threat to a PaaS application. In one aspect, the system monitors the resource consumption of a target application to obtain historical resource usage data during an initial or training period of time. The historical resource usage data is used to create an application usage profile for the application (block302). In a second aspect, the system monitors the resource consumption of all the resources used by the customer's applications in order to compute a customer usage profile for the customer (block302).FIG. 4 illustrates an exemplary method for building an application usage profile andFIG. 5 illustrates an exemplary method for building a customer usage profile.

Turning toFIG. 4, the applicationthreat detection module120 initiates thesecurity monitoring tools132 to monitor the resources used in the execution of a target application during the initial training period. The historical resource usage data obtained is stored in various resource log files134 and logfiles140 during the initial training period. The resource log files may come from various sources, such as servers, networks, etc. (Collectively, block402).

The virtual resources that are consumed by a target PaaS application are identified by the applicationthreat detection module120. Thecloud service101 includes a mechanism (e.g., module, API, or service) that identifies the virtual resources allocated to the virtual machine that runs an application. Each virtual resource is identified with a Uniform Resource Identifier (URI). For example, the resource identifier or URI may be in a format such as the following: /subscriptions/resourceGroups/resource-group-name/resource-type/resource-name. (Collectively, block404).

The applicationthreat detection module120 maps each virtual resource consumed by the virtual machine to the physical resource and process that consumes the virtual resource. The usage data in the resource log files is relative to a physical resource and process identifier. The virtual machine that runs the application uses virtual resources. In order to obtain the application's physical resource consumption, the applicationthreat detection module120 maps each virtual resource consumed by the application to where the virtual resource is being used, which is the corresponding physical resource and process identifier that is using the corresponding virtual resource. The process identifier is an identifier of the process executing the application. (Collectively, block406).

The applicationthreat detection module120 obtains the virtual resource identifier for each virtual resource. For example, Azure provides an API, Get Resource By ID, which returns the virtual identifier of a resource when given the resource URI. The virtual resource identifier is then mapped to its corresponding physical resource. (Collectively, block406).

Alternatively, the cloud service may use the resource mapping files to map virtual resources to a particular physical resource. For example, an instance of the PaaS application is considered as a resource which the resource mapping layer maps to the tuple including the server identifier, virtual machine identifier and process identifier, <server identifier, virtual machine identifier, process identifier>. (Collectively, block406).

The mapping to a physical resource includes the process identifier of the process that is using the virtual resource. The applicationthreat detection module120 then searches the resource log files for the process identifier to obtain the historical usage data of a resource associated with the process. (Collectively, block406).

Once the usage data for each resource is obtained, the applicationthreat detection module120 computes the normal usage of the resource by an application. For resources having measurement values, such as CPU usage and memory usage, a statistic is computed to represent normal resource usage. For other resources that do not utilize measurement values, such as the IP addresses used in the application's transmission or the open port numbers used by an application, a list of those features is collected. (Collectively, block408).

The statistic that represents the normal resource usage may be a threshold or a centroid. A threshold is a numeric value. The threshold represents a value that exceeds the normal range of values. The applicationthreat detection module120 analyzes the collected measurement values and finds the most frequent range of values. A threshold may be a value that exceeds the highest value or lowest value from the collected data or lies outside of a designated percentile of the collected data. (Collectively, block408).

In another aspect, the historical usage data of each resource may be clustered. Clustering is a technique that groups together data items that are similar to each other. Measurement values for a resource that are similar to other data items in a cluster may represent normal usage behavior and those measurement values that are different from the other data items represent abnormal resource usage behavior. In one aspect, K-means clustering may be utilized. The K-means technique uses a predetermined number of clusters, K and a set of initial estimates for the cluster means, and the data set to be clustered. The means or centroids define the parameters of a model. Typically, the K-means evaluation starts with a random choice of cluster centroids or means. Each cluster is represented by its mean and each data item is assigned membership in the cluster having the nearest mean. The measurement data is used to calculate the K-means cluster centroids. Euclidean distance is used as the measure of similarity and is represented mathematically for a data point x and mean μ, as follows: Dist (x, μ)=√{square root over (Σ_i=1^d(x_i−u_i)²)}.

For those resources having measurement values, the K-means evaluation is used to generate a centroid for each cluster. There may be one or more clusters for each resource. For example, a model for a resource may have one cluster that represents normal usage and another cluster that represents abnormal usage. The Euclidean distance between the real-time values and the centroids of each cluster is used to indicate whether the resource usage represents anomalous or normal usage behavior. (Collectively, block408).

For some physical resources, usage data is collected, such as the list of open port numbers, the list of IP addresses network packets are transmitted to, etc. The application usage profile and customer usage profile store the list of these features. The resource usage data for each resource is then stored in the application usage profile. (Collectively, block408).

In some situations, there may be multiple instances of an application with each application instance operating in a distinct virtual machine across multiple cloud servers. In this scenario, the usage data from the resource used by each application instance is obtained. A centralized processor obtains the usage data from each process of each application instance and then analyzed to compute the normal usage behavior of the resource by the application as noted above inFIG. 4.

Turning toFIG. 5, in another aspect, the applicationthreat detection module120 generates resource usage data for the resources used by each application of a customer. Resources of a similar type are grouped together and a statistic is generated for the resource type. For example, disk1/0 is a generic group that covers all types of virtual disks.

The resource usage of each application of a customer is tracked by first determining the resources used by each instance of each PaaS application. The applicationthreat detection module120 initiates monitoring each of these applications (blocks502,504). For each application instance, a mapping is performed to identify the physical resources used by each application instance. The mapping from virtual resource to physical resource is performed as noted above, with respect toFIG. 3

block

306, to find the process identifier in the resource log files. The historical usage data from the resource log files is then collected for each resource type (block508).

The normal resource usage of each resource type is then computed as noted above with respect toFIG. 4, block410 (block510), and the resulting statistic is stored in the customer usage profile (block512).

Turning back toFIG. 3, once the resource usage data for each application or customer is computed, the applicationthreat detection module120 starts to monitor the runtime resource usage of the application or customer (block304). The applicationthreat detection module120 obtains the runtime usage data from the resource logs at periodic intervals and compares the runtime usage data from each resource with the resource usage data stored in the application usage profile for the application or the customer usage profile (block306).

The applicationthreat detection module120 obtains the virtual identifiers of the virtual resources allocated to the virtual machine running the application. The runtime usage data contained in a resource log contains runtime usage data identified by a physical resource identifier and a process identifier. The physical resource is mapped to its corresponding virtual resource identifier and when it matches the virtual resource identifier of a virtual resource used by the application, the runtime usage data is extracted. (Collectively, block306).

The runtime usage data is then compared with the normal usage data stored in the application usage profile or customer usage profile. When the comparison indicates that the value is out of the normal range for the resource, the applicationthreat detection module120 alerts the developer of the application of a potential security breach. (Collectively, block308).

Exemplary Operating Environment

Attention now turns to a discussion of anexemplary operating environment600.FIG. 6 illustrates anexemplary operating environment600 of a cloud computing service havingseveral computing devices602. Acomputing device602 may be any type of electronic device, such as, without limitation, a mobile device, a personal digital assistant, a mobile computing device, a smart phone, a cellular telephone, a handheld computer, a server, a server array or server farm, a web server, a network server, a blade server, an Internet server, a work station, a mini-computer, a mainframe computer, a supercomputer, a network appliance, a web appliance, a distributed computing system, multiprocessor systems, or combination thereof. The operatingenvironment600 may be configured in a network environment, a distributed environment, a multi-processor environment, or a stand-alone computing device having access to remote or local storage devices.

Acomputing device602 may include one ormore processors606, one ormore network interfaces608, one ormore storage devices610, one or more input/output devices612, and one ormore memory devices614. Aprocessor606 may be any commercially available or customized processor and may include dual microprocessors and multi-processor architectures. Anetwork interface608 facilitates wired or wireless communications between thecomputing device602 and other devices. Astorage device610 may be computer-readable medium that does not contain propagating signals, such as modulated data signals transmitted through a carrier wave. Examples of astorage device610 include without limitation RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage, all of which do not contain propagating signals, such as modulated data signals transmitted through a carrier wave. There may bemultiple storage devices610 in thecomputing device602. The input/output devices612 may include a keyboard, mouse, pen, voice input device, touch input device, display, speakers, printers, etc., and any combination thereof.

Amemory device614 may be any non-transitory computer-readable storage media that may store executable procedures, applications, and data. The computer-readable storage media does not pertain to propagated signals, such as modulated data signals transmitted through a carrier wave. It may be any type of non-transitory memory device (e.g., random access memory, read-only memory, etc.), magnetic storage, volatile storage, non-volatile storage, optical storage, DVD, CD, floppy disk drive, etc. that does not pertain to propagated signals, such as modulated data signals transmitted through a carrier wave. Amemory device614 may also include one or more external storage devices or remotely located storage devices that do not pertain to propagated signals, such as modulated data signals transmitted through a carrier wave.

Thememory device614 may contain instructions, components, and data. A component is a software program that performs a specific function and is otherwise known as a module, program, component, and/or application. Thememory device614 may include one or morevirtual machines616, with each virtual machine including one ormore applications618, alog file620, ahost operating system622, an applicationthreat detection module624, and anapplication usage profile626. Thememory device614 also includes ahypervisor628, asystem operating system630,virtual resources632,security monitoring tools634, resource logs636, resource mapping files638, and other applications anddata640.

Acomputing device602 may be communicatively coupled via anetwork606. Thenetwork606 may be configured as an ad hoc network, an intranet, an extranet, a virtual private network (VPN), a local area network (LAN), a wireless LAN (WLAN), a wide area network (WAN), a wireless WAN (WWAN), a metropolitan network (MAN), the Internet, a portions of the Public Switched Telephone Network (PSTN), plain old telephone service (POTS) network, a wireless network, a WiFi® network, or any other type of network or combination of networks.

Thenetwork606 may employ a variety of wired and/or wireless communication protocols and/or technologies. Various generations of different communication protocols and/or technologies that may be employed by a network may include, without limitation, Global System for Mobile Communication (GSM), General Packet Radio Services (GPRS), Enhanced Data GSM Environment (EDGE), Code Division Multiple Access (CDMA), Wideband Code Division Multiple Access (W-CDMA), Code Division Multiple Access 2000, (CDMA-2000), High Speed Downlink Packet Access (HSDPA), Long Term Evolution (LTE), Universal Mobile Telecommunications System (UMTS), Evolution-Data Optimized (Ev-DO), Worldwide Interoperability for Microwave Access (WiMax), Time Division Multiple Access (TDMA), Orthogonal Frequency Division Multiplexing (OFDM), Ultra Wide Band (UWB), Wireless Application Protocol (WAP), User Datagram Protocol (UDP), Transmission Control Protocol/Internet Protocol (TCP/IP), any portion of the Open Systems Interconnection (OSI) model protocols, Session Initiated Protocol/Real-Time Transport Protocol (SIP/RTP), Short Message Service (SMS), Multimedia Messaging Service (MMS), or any other communication protocols and/or technologies.

Conclusion

A system is disclosed having one or more processors; and a memory that stores one or more programs that are configured to be executed by the one or more processors, the one or more programs including instructions that: host an application as a Platform-as-a-Service (PaaS) web service in a virtual machine using virtual resources, the PaaS web service unaware of physical resources associated with the virtual resources; obtain an application usage profile for the PaaS web service, the application usage profile having one or more statistics, a statistic representing normal consumption of a physical resource used by the PaaS web service; monitor runtime usage of a first physical resource during execution of the PaaS web service; correlate the first physical resource to a corresponding virtual resource used during operation of the PaaS web service via a process identifier of the PaaS web service; compare the runtime usage of the first physical resource with a corresponding statistic; and upon the comparison indicating an anomaly, initiate a warning of the anomaly.

In an aspect, the one or more programs include further instructions that: obtain historical resource consumption of the PaaS web service; derive a threshold for one or more of the physical resources consumed by the PaaS web service; and store the threshold in the application usage profile for the PaaS web service. In an aspect, the one or more programs include further instructions that: obtain historical resource consumption of the PaaS web service; cluster the historical resource consumption into one or more clusters for the first physical resource; compute a centroid for the first physical resource; and store the centroid in the application usage profile for the PaaS web service.

In an aspect, the application usage profile includes one or more of processor consumption, memory consumption, number and types of disk I/O events, number of network packets transmitted, frequency of network packets transmitted, largest size of network packets transmitted, Internet Protocol (IP) addresses used in network packets transmitted, or identity of open ports. In an aspect, the statistic includes a threshold for the first physical resource and the one or more programs include further instructions to detect when the threshold for the first physical resource is exceeded during runtime usage of the PaaS web service.

In an aspect, the one or more programs include further instructions that: detect the anomaly when the runtime usage of the first physical resource exceeds a distance from a centroid representing normal usage consumption of the first physical resource. In an aspect, the statistic is derived from runtime usage of the first physical resource during multiple instances of the PaaS web service. In an aspect, the multiple instances of the PaaS web service operate on different virtual machines in different servers.

A method is disclosed comprising: configuring an application as a Platform as a Service (PaaS) web service in a virtual machine with virtual resources, wherein the PaaS web service is isolated from identity of physical resources consumed by the PaaS web service; during a training period, monitoring usage of the physical resources consumed by the PaaS web service; correlating the virtual resources used by the application to corresponding physical resources using a process identifier of a process hosting an instance of the PaaS web service; generating a mathematical model of normal resource consumption of at least one physical resource consumed by the PaaS web service; using the mathematical model during runtime execution of the PaaS web service to detect abnormal behavior in runtime resource consumption of the at least one physical resource by the PaaS web service; and generating an alert when the abnormal behavior is detected.

In an aspect, the method further comprises: monitoring resource usage of the PaaS web service across all instances of the PaaS web service. In an aspect, the method further comprises: monitoring processor consumption and memory consumption of the PaaS web service. In an aspect, the method further comprises: monitoring features of network usage of the PaaS web service, the features including a number of network packets transmitted, sizes of the network packets transmitted, open ports, and Internet Protocol (IP) addresses used.

In an aspect, the method further comprises monitoring features of disk I/O usage of the PaaS web service, the features including identity of files accessed and a number of I/O operations made. In an aspect, the mathematical model of the normal resource consumption of the at least one physical resource consumed by the PaaS web service is derived from historical resource usage of the at least one physical resource by the PaaS web service during the training period. In an aspect, the mathematical model of normal resource consumption of the at least one physical resource consumed by the PaaS web service is derived from clustering historical resource usage of the at least one physical resource by the PaaS web service during the training period.

A device is disclosed having one or more processors and a memory. The memory includes a virtual machine configured to: execute a Platform as a Service (PaaS) web service in the virtual machine, the PaaS web service utilizing virtual resources with no visibility to associated physical resources; obtain normal usage data of the physical resources used by the PaaS web service; extract runtime usage data of at least one physical resource used by the PaaS web service by mapping a virtual resource corresponding to the at least one physical resource through a process identifier of a process running an instance of the PaaS web service application on the virtual machine; and determine a security threat when the runtime usage data of the at least one physical resource exceeds the normal usage data of the at least one physical resource.

In an aspect, the virtual machine is further configured to: analyze historical resource usage data of a first physical resource used by the PaaS web service to generate a threshold; and detect the security threat when the runtime usage data for the first physical resource exceeds the threshold. In an aspect, the virtual machine is further configured to: analyze historical resource usage data of the first physical resource to generate a centroid representing a measurement value of normal behavior of the fist physical resource when used by the application; and detect the security threat when the runtime usage data for the first physical resource exceeds a distance from the centroid.

In an aspect, the normal usage data represents processor consumption, memory consumption, number of network packets transmitted, frequency of network packets transmitted, number of disk I/O events, largest size of network packets transmitted, Internet Protocol (IP) addresses used in network packets transmitted, and/or identity of open ports. In an aspect, the historical usage data is derived from runtime usage of the physical resources across multiple instances of the PaaS web service.

Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims

What is claimed:

1. A system comprising:

one or more processors; and

a memory that stores one or more programs that are configured to be executed by the one or more processors, the one or more programs including instructions that:

host an application as a Platform-as-a-Service (PaaS) web service in a virtual machine using virtual resources, the PaaS web service unaware of physical resources associated with the virtual resources;

obtain an application usage profile for the PaaS web service, the application usage profile having one or more statistics, a statistic representing normal consumption of a physical resource used by the PaaS web service;

monitor runtime usage of a first physical resource during execution of the PaaS web service;

correlate the first physical resource to a corresponding virtual resource used during operation of the PaaS web service via a process identifier of the PaaS web service;

compare the runtime usage of the first physical resource with a corresponding statistic; and

upon the comparison indicating an anomaly, initiate a warning of the anomaly.

2. The system ofclaim 1, wherein the one or more programs include further instructions that:

obtain historical resource consumption of the PaaS web service;

derive a threshold for one or more of the physical resources consumed by the PaaS web service; and

store the threshold in the application usage profile for the PaaS web service.

3. The system ofclaim 1, wherein the one or more programs include further instructions that:

obtain historical resource consumption of the PaaS web service;

cluster the historical resource consumption into one or more clusters for the first physical resource;

compute a centroid for the first physical resource; and

store the centroid in the application usage profile for the PaaS web service.

4. The system ofclaim 1, wherein the application usage profile includes one or more of processor consumption, memory consumption, number and types of disk I/O events, number of network packets transmitted, frequency of network packets transmitted, largest size of network packets transmitted, Internet Protocol (IP) addresses used in network packets transmitted, or identity of open ports.

5. The system ofclaim 1, wherein the statistic includes a threshold for the first physical resource,

wherein the one or more programs include further instructions to detect when the threshold for the first physical resource is exceeded during runtime usage of the PaaS web service.

6. The system ofclaim 1, wherein the one or more programs include further instructions that:

detect the anomaly when the runtime usage of the first physical resource exceeds a distance from a centroid representing normal usage consumption of the first physical resource.

7. The system ofclaim 1, wherein the statistic is derived from runtime usage of the first physical resource during multiple instances of the PaaS web service.

8. The system ofclaim 7, wherein the multiple instances of the PaaS web service operate on different virtual machines in different servers.

9. A computer-implemented method, comprising:

configuring an application as a Platform as a Service (PaaS) web service in a virtual machine with virtual resources, wherein the PaaS web service is isolated from identity of physical resources consumed by the PaaS web service;

during a training period, monitoring usage of the physical resources consumed by the PaaS web service;

correlating the virtual resources used by the application to corresponding physical resources using a process identifier of a process hosting an instance of the PaaS web service;

generating a mathematical model of normal resource consumption of at least one physical resource consumed by the PaaS web service;

using the mathematical model during runtime execution of the PaaS web service to detect abnormal behavior in runtime resource consumption of the at least one physical resource by the PaaS web service; and

generating an alert when the abnormal behavior is detected.

10. The computer-implemented method ofclaim 9, further comprising:

monitoring resource usage of the PaaS web service across all instances of the PaaS web service.

11. The computer-implemented method ofclaim 9, further comprising:

monitoring processor consumption and memory consumption of the PaaS web service.

12. The computer-implemented method ofclaim 9, further comprising:

monitoring features of network usage of the PaaS web service, the features including a number of network packets transmitted, sizes of the network packets transmitted, open ports, and Internet Protocol (IP) addresses used.

13. The computer-implemented method ofclaim 9, further comprising:

monitoring features of disk I/O usage of the PaaS web service, the features including identity of files accessed and a number of I/O operations made.

14. The computer-implemented method ofclaim 9, wherein the mathematical model of the normal resource consumption of the at least one physical resource consumed by the PaaS web service is derived from historical resource usage of the at least one physical resource by the PaaS web service during the training period.

15. The computer-implemented method ofclaim 9, wherein the mathematical model of normal resource consumption of the at least one physical resource consumed by the PaaS web service is derived from clustering historical resource usage of the at least one physical resource by the PaaS web service during the training period.

16. A device, comprising:

one or more processors and a memory;

the memory including a virtual machine configured to:

execute a Platform as a Service (PaaS) web service in the virtual machine, the PaaS web service utilizing virtual resources with no visibility to associated physical resources;

obtain normal usage data of the physical resources used by the PaaS web service;

extract runtime usage data of at least one physical resource used by the PaaS web service by mapping a virtual resource corresponding to the at least one physical resource through a process identifier of a process running an instance of the PaaS web service application on the virtual machine; and

determine a security threat when the runtime usage data of the at least one physical resource exceeds the normal usage data of the at least one physical resource.

17. The device ofclaim 16, wherein the virtual machine is further configured to:

analyze historical resource usage data of a first physical resource used by the PaaS web service to generate a threshold; and

detect the security threat when the runtime usage data for the first physical resource exceeds the threshold.

18. The device ofclaim 16, wherein the virtual machine is further configured to:

analyze historical resource usage data of the first physical resource to generate a centroid representing a measurement value of normal behavior of the fist physical resource when used by the application; and

detect the security threat when the runtime usage data for the first physical resource exceeds a distance from the centroid.

19. The device ofclaim 16, wherein the normal usage data represents processor consumption, memory consumption, number of network packets transmitted, frequency of network packets transmitted, number of disk I/O events, largest size of network packets transmitted, Internet Protocol (IP) addresses used in network packets transmitted, and/or identity of open ports.

20. The device ofclaim 16, wherein the historical usage data is derived from runtime usage of the physical resources across multiple instances of the PaaS web service.